Tuesday, June 16, 2009

Cligs URL Shortening - I Told You So

Remember a few months ago when I wrote about the "big picture" behind why tinyURL.com's service is such a huge target for security vulnerabilities? [URL Shortening Services - the Bigger Picture] I almost hate to say this but... I told you so.

Well folks on June 15th Cligs has been hacked. The Short URL provider "cli.gs" has been exploited and hacked and the malicious user pointed every single one of the 2.2Million URLs in the database to freedomblogging .com (broken on purpose, I don't want to drive those twits any more traffic). The method of the hack is irrelevant, although speculation is that it was done via an unspecified hole in the edit functionality on the website, which is currently disabled.

From the cli.gs blog:

Late last night/early this morning, a security hole in the cligs editing functionality was discovered and was exploited by a malicious attacker. The attack edited most URLs on Cligs to point to a single URL hosted on freedomblogging.com. The attacker’s IP address appears to have from Canda.

I’ve identified the hole and disabled all cligs editing for now and I’m restoring the URLs back to their original destination states. However, the most recent backup is from early May, and so we may have lost all URLs created since then. My daily backups with my host were turned off for some reason, which is another story.

Think about it. 2.2 million URLs were affected.

On the Cligs blog, there is a post from May 8th about how Cligs is the 4th most popular URL Shortening Service on Twitter - I wonder if the hacker read that and found it a great place to start hacking away?

No matter what the implications, and let me say that after a quick glance FreedomBlogging does not appear to be a malicious site, simply a link landing page, this should seriously serve as a wake-up call for those of you who click on URL shorteners out there on twitter... and those who run these services. Secure your sites, watch what you're clicking... it's only a matter of time.

Cligs staff were unreachable for immediate comment either via Twitter or via the blog Contact Us page... as soon as someone replies I will post it here - stay tuned!

HelpNetSecurity is also running a story about this...

No comments: